THE CLAIMS 

A complete listing of all of originally filed Claims 1 - 33 is provided below. A status 
identifier is provided for each claim in a parenthetical expression following each claim 
number. 

1. (Previously Presented) A distributed firewall (DFW) for use on an end system, 
comprising: 

an end system authentication component for providing user authentication 
for connection attempts from users attempting to access the end system via a network; 

an end system access control component for providing purpose authorization 
for authenticated users based on rules in a connection policy associating users with 
purposes; and 

an end system enforcement component for enforcing the connection policy 
rule for one of the authenticated users from whom traffic is received at the end system; 

wherein the end system authentication component utilizes an aggregate of 
the users in the connection policy to authenticate at least one of the users. 

2. (Currently Amended) The DFW of claim 1, wherein the end system 
authentication component utilizes Internet key exchange (IKE) protocol to authenticate users 
in IKE main mode (MM) based on the aggregate of users in the connection policy. 

3. (Currently Amended) The DFW of claim 2, wherein the end system 
authentication component utilizes the rule in the connection policy associated with the 
authenticated user in IKE quick mode (QM) to complete the authentication. 

4. (Currently Amended) The DFW of claim 3, wherein the end system 
authentication component transmits a secure notify message to the authenticated user when 
the authenticated user sends traffic in QM that exceeds an authority governed by the rule in 
the connection policy associated with the authenticated user. 
5. (Currently Amended) The DFW of claim 3, wherein the end system 
enforcement component utilizes Internet protocol security (IPSec) protocol to maintain 
security of communications from the authenticated user when the communications are 
within the rule in the connection policy. 

6. (Currently Amended) The DFW of claim 5, wherein the end system 
enforcement component enables IPSec on a socket for communications from the 
authenticated user and binds the socket in exclusive mode so that the context of the binder 
of the socket is preserved. 

7. (Currently Amended) The DFW of claim 1, further comprising an end system 
inspection component for inspecting packets from an authenticated user. 

8. (Original) The DFW of claim 1, wherein the connection policy is defined 
in a pluggable policy component. 

9. (Original) The DFW of claim 8, wherein the pluggable policy component 
is downloaded from a centralized administrative policy. 

10. (Original) The DFW of claim 8, wherein the pluggable policy component 
is modifiable on the end system. 

11. (Currently Amended) The DFW of claim 10, further comprising an end system 
access control component through which the connection policy may be defined. 

12. (Currently Amended) The DFW of claim 1, further comprising an end system 
access control component having a user interface (UI) through which the connection policy 
is defined. 
13. (Withdrawn) A method of providing user authentication/authorization in a 
distributed firewall on an end system, comprising the steps of: 
receiving a connection request from a user; 

performing main mode (MM) authentication of the connection request via Internet 
key exchange (IKE) protocol based on an aggregate of users listed in a connection policy; 

receiving communications from the user; 

performing quick mode (QM) authentication of the communications via IKE based on 
a rule for the user in the connection policy; 

completing the QM authentication when the communications are within a scope of 
the rule for the user in the connection policy; and 

enforcing the rule for the user for subsequent communication when the QM 
completes. 

14. (Withdrawn) The method of claim 13, wherein the step of performing MM 
authentication comprises the steps of: 

checking a certificate of the connection request against an aggregate listing of all 
authorized users in the connection policy; and 

completing MM authentication when the certificate matches an entry in the 
aggregate listing. 

15. (Withdrawn) The method of claim 13, further comprising the step of 
transmitting a secure notify message to the user when the communications attempt to 
exceed the rule for the user in the connection policy. 

16. (Withdrawn) The method of claim 13, wherein the step of enforcing the rule 
for the user for subsequent communication comprises the steps of enabling IPSec on a 
socket for the communication, and forcing the socket to be bound in exclusive mode. 
17. (Withdrawn) The method of claim 13, wherein the end system has multiple 
accounts thereon, wherein the step of receiving a connection request from a user includes 
the step of receiving a connection request having an account ID hint included therewith, and 
wherein the step of performing main mode (MM) authentication of the connection request 
via Internet key exchange (IKE) protocol includes the step of performing MM authentication 
of the connection request via IKE based on an aggregate of users listed in a connection 
policy for one of the accounts identified by the account ID hint. 

18. (Withdrawn) The method of claim 17, wherein the step of performing quick 
mode (QM) authentication of the communications via IKE based on a rule for the user in the 
connection policy comprises the step of performing QM authentication based on a rule for 
the user in the connection policy for one of the accounts identified by the account ID hint. 
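The following is an added illustration, not part of the application or of these claims, modelling in Python the two-phase sequence recited in claims 13 to 18: main mode admits a certificate identity only if it appears in the aggregate of users in the connection policy selected by the account ID hint; quick mode then checks the requested communication against that user's own rule and answers with a secure notify message when the rule would be exceeded; per-packet enforcement passes traffic only once quick mode has completed and only within the rule. The policy layout, the account names, user names and service tuples are constructed sample data, and the status strings are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample connection policy (not from the application):
# account -> user (certificate subject) -> set of (protocol, port) the user
# may reach. The claims' "purpose" maps here to a service on the end system.
SAMPLE_POLICIES = {
    "workstation-1": {
        "CN=alice": {("tcp", 445), ("tcp", 3389)},
        "CN=bob": {("tcp", 445)},
    },
    "workstation-2": {
        "CN=carol": {("tcp", 22)},
    },
}

# Assumed status values for the illustration.
MM_COMPLETE = "MM_COMPLETE"
MM_REJECTED = "MM_REJECTED"
QM_COMPLETE = "QM_COMPLETE"
SECURE_NOTIFY = "SECURE_NOTIFY_EXCEEDS_RULE"


@dataclass
class Session:
    """State kept for one authenticated peer between MM and enforcement."""
    account: str
    user: str
    qm_complete: bool = False
    allowed: frozenset = field(default_factory=frozenset)


class DistributedFirewall:
    def __init__(self, policies):
        self.policies = policies

    def aggregate_users(self, account):
        """Aggregate of all users listed in the connection policy of one account."""
        return frozenset(self.policies.get(account, {}))

    def main_mode(self, cert_subject, account_hint):
        """MM (claims 13, 14, 17): the certificate identity is checked only against
        the aggregate listing; the per-user rule is not consulted yet."""
        if cert_subject not in self.aggregate_users(account_hint):
            return MM_REJECTED, None
        return MM_COMPLETE, Session(account=account_hint, user=cert_subject)

    def quick_mode(self, session, proto, port):
        """QM (claims 13, 15, 18): the requested communication is checked against
        this user's own rule; exceeding it yields the secure notify message."""
        rule = self.policies[session.account][session.user]
        if (proto, port) not in rule:
            return SECURE_NOTIFY
        session.qm_complete = True
        session.allowed = frozenset(rule)
        return QM_COMPLETE

    def enforce(self, session, proto, port):
        """Per-packet enforcement (claim 13, last step): traffic passes only after
        QM completed and only while it stays within the rule."""
        return session.qm_complete and (proto, port) in session.allowed


def run_sample():
    """Walk one constructed peer through MM, QM and enforcement."""
    dfw = DistributedFirewall(SAMPLE_POLICIES)
    status, session = dfw.main_mode("CN=alice", "workstation-1")
    results = {"mm": status}
    results["qm_ssh"] = dfw.quick_mode(session, "tcp", 22)      # not in alice's rule
    results["pre_qm_smb"] = dfw.enforce(session, "tcp", 445)    # QM not complete yet
    results["qm_smb"] = dfw.quick_mode(session, "tcp", 445)
    results["post_qm_smb"] = dfw.enforce(session, "tcp", 445)
    results["post_qm_ssh"] = dfw.enforce(session, "tcp", 22)
    return results


if __name__ == "__main__":
    for step, outcome in run_sample().items():
        print(f"{step}: {outcome}")
```

The order of checks is the point of the example: a peer whose certificate is not in the aggregate (including a user listed only under a different account) never reaches the per-user rule, and a peer that passed main mode still receives the secure notify rather than silent enforcement when its first quick-mode request exceeds its rule.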

19. (Withdrawn) The method of claim 13, further comprising the step of 
downloading the connection policy from a central administration. 

20. (Withdrawn) The method of claim 13, further comprising the steps of 
displaying an access control user interface, receiving input from a user of the end system, 
using the input to define the rules of the connection policy. 

21. (Withdrawn) In a computer system having a graphical user interface including 
a display and a user interface selection device, a method of displaying and selecting a 
connection policy on the display comprises the steps of: 

retrieving a set of application processes to which access controls may be defined; 
retrieving a listing of authorized users; 

displaying the set of applications in association with users who are authorized to 
access each application defined in the connection policy; 
receiving a user input signal indicating a desired modification to the displayed 
associations and thereafter modifying the connection policy in accordance with the user 
input; and 

displaying the set of applications in association with a modified list of users who are 
authorized to access each application defined in the modified connection policy. 

22. (Withdrawn) The method of claim 21, wherein the step of receiving a user 
input indicating a desired modification to the displayed associations comprises the step of 
receiving a user input indicating a desired addition of a user for a selected application 
process, further comprising the steps of displaying a list of all authorized users, receiving 
an authorized user selection input to add a new authorized user association to the selected 
application process. 

23. (Withdrawn) The method of claim 21, wherein the step of receiving a user 
input indicating a desired modification to the displayed associations comprises the step of 
receiving a user input indicating a desired removal of a user for a selected application 
process, further comprising the steps of displaying a list of all authorized users associated 
with the selected application process, receiving an authorized user deletion input to remove 
an authorized user association from the selected application process. 

24. (Withdrawn) The method of claim 21, further comprising the steps of 
displaying a user selectable indicator to secure the computer system, receiving a user input 
selection of the user selectable indicator, and thereafter securing the computer system in 
accordance with the connection policy. 

25. (Withdrawn) The method of claim 24, further comprising the steps of 
displaying a user selectable indicator indicating that the computer system is secure, 
receiving a user input selection of the user selectable indicator, and thereafter un-securing 
the computer system. 
26. (Withdrawn) A computer-readable medium having computer-executable 
instructions for performing the steps of receiving a connection request from a user, 
performing main mode (MM) authentication of the connection request via Internet key 
exchange (IKE) protocol based on an aggregate of users listed in a connection policy, 
receiving communications from the user, performing quick mode (QM) authentication of the 
communications via IKE based on a rule for the user in the connection policy, completing the 
QM authentication when the communications are within a scope of the rule for the user in 
the connection policy, and enforcing the rule for the user for subsequent communication 
when the QM completes. 

27. (Withdrawn) The method of claim 26, wherein the step of performing MM 
authentication comprises the steps of checking a certificate of the connection request 
against an aggregate listing of all authorized users in the connection policy, and completing 
MM authentication when the certificate matches an entry in the aggregate listing. 

28. (Withdrawn) The method of claim 26, further comprising the step of 
transmitting a secure notify message to the user when the communications attempt to 
exceed the rule for the user in the connection policy. 

29. (Withdrawn) The method of claim 26, wherein the step of enforcing the rule 
for the user for subsequent communication comprises the steps of enabling IPSec on a 
socket for the communication, and forcing the socket to be bound in exclusive mode. 

30. (Withdrawn) The method of claim 26, wherein the end system has multiple 
accounts thereon, wherein the step of receiving a connection request from a user includes 
the step of receiving a connection request having an account ID hint included therewith, and 
wherein the step of performing main mode (MM) authentication of the connection request 
via Internet key exchange (IKE) protocol includes the step of performing MM authentication 
of the connection request via IKE based on an aggregate of users listed in a connection 
policy for one of the accounts identified by the account ID hint. 

31. (Withdrawn) The method of claim 30, wherein the step of performing quick 
mode (QM) authentication of the communications via IKE based on a rule for the user in the 
connection policy comprises the step of performing QM authentication based on a rule for 
the user in the connection policy for one of the accounts identified by the account ID hint. 

32. (Withdrawn) The method of claim 26, further comprising the step of 
downloading the connection policy from a central administration. 

33. (Withdrawn) The method of claim 26, further comprising the steps of 
displaying an access control user interface, receiving input from a user of the end system, 
using the input to define the rules of the connection policy. 